Smart Home Hubs are used to control lighting, heating, locks and cameras in people’s homes. Unsurprisingly, many security experts worry about the privacy and safety risks associated with these devices since the technology is in relative infancy.
In order to understand the risks associated with Smart Home Hubs, Tripwire carried out a security analysis on three top-selling devices: Mios Vera, Wink Hub, and the SmartThings Hub.
Researchers found security vulnerabilities in each. These flaws could allow attackers to identify when people are out of their home, change alarm settings, open locks without authorization, access local area networks, or use them for DDoS purposes.
In the case of Vera and Wink, Tripwire was able to create a malicious web page which when accessed gave the web page operator full control of the system through various input validation failures.
The SmartThings Hub also had a vulnerability regarding validation of secured communication. The flaw would only be exploitable by someone with a privileged position on the network like a telecom company or a state sponsored attacker.
“Smart Home Hubs are steadily growing in popularity, however as with many consumer technology products, functionality has trumped security,” said Craig Young, security researcher for Tripwire. “The threat is relatively low just now but I believe it will increase as malicious actors recognize how much information can be gained by attacking these devices.”
All three Smart Home Hub vendors have been notified of the security flaws. Currently two out of the three vendors have issued patches. Left unpatched, some of the vulnerabilities can be exploited by malicious web pages or smartphone applications to execute commands with system level access.
While these products generally don’t offer download links for their firmware, they have options in the product interface to check for and install updates. Mios is an exception to this in that they have firmware images for testing available on their forum but as of last communication they had not produced a fixed firmware.